TN Team’s strategic alliance, Intermedia, has been tracking a recent threat that you should be aware of: it targets remote workers and reinforces the importance of good security practices. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued an advisory about a voice phishing (vishing) campaign that targets remote workers and new hires. The callers pose as the IT help desk or support, purportedly to enable the employee’s “new, secure” VPN access, and direct the employee to a fraudulent site in order to steal their credentials and attack their employer.
These vishing scams have expanded into elaborate campaigns focused on gathering a company’s confidential information by using the company’s own employees, which makes the security breach extremely difficult to detect.
VPNs are widely used in the current teleworking environment. They are designed to be a secure platform for remote employees to access your company’s network from home: they provide secure remote connections and allow activity on the network, including security breaches, to be monitored.
This particular attack relies on social engineering and on identifying new hires and remote workers through their social media posts. Attackers spoof the target company’s phone numbers and call the targeted employees’ mobile phones.
Scammers use social media profiles to learn the employee’s name, location, position, length of employment and even home address. They then set up phishing webpages designed to mimic your company’s internal VPN login page and call the employee, instructing them to log in on the scam page, which captures the credentials needed to access your real VPN.
The FBI and CISA give the following advice:
- Restrict VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN.
- Restrict VPN access hours, where applicable, to mitigate access outside of customarily allowed times.
- Employ domain monitoring to track the creation of, or changes to, corporate brand-name domains.
- Actively scan and monitor web applications to reveal unauthorized access, modification and anomalous activities.
- Employ the principle of “least privilege,” implement software restriction policies or other controls, and monitor authorized users’ access and usage.
- Potentially deploy a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to authenticate the phone call before sensitive information can be discussed.
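The domain-monitoring recommendation above is usually implemented by scoring newly registered or newly changed domains against your own brand names. The script below is an added example written for this article, not code from the FBI/CISA advisory, Intermedia or TN Team; it assumes a constructed brand name `example-corp` and constructed candidate domains, and it flags the lookalike patterns seen in VPN-portal phishing: the brand on a TLD you do not own, homoglyph or near-miss spellings, the brand combined with an IT or VPN keyword, and the brand used as a subdomain of an unrelated domain.

```python
import re
import unicodedata

# Constructed brand and the domains the organization actually owns (assumptions for this example)
BRAND = "example-corp"
BRAND_DOMAINS = {"example-corp.com"}

# Keywords attackers bolt onto a brand to make a lookalike resemble an IT portal
SUSPECT_TOKENS = ("vpn", "sso", "login", "helpdesk", "support", "portal")

# Character substitutions that make a label look like the brand; multi-char entries first
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(label):
    """Fold accents, case, homoglyphs and punctuation so lookalikes compare equal to the brand."""
    label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return re.sub(r"[^a-z0-9]", "", label)


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(domain):
    """Return (verdict, reasons) for one candidate domain from a registration feed."""
    host = domain.lower().rstrip(".")
    if host in BRAND_DOMAINS:
        return "ours", []
    labels = host.split(".")
    registrable = labels[-2] if len(labels) >= 2 else labels[0]  # label left of the TLD
    norm_label, norm_brand = normalize(registrable), normalize(BRAND)
    reasons = []
    if registrable == BRAND:
        reasons.append("brand name on a TLD we do not own")
    elif norm_label == norm_brand:
        reasons.append("homoglyph or punctuation variant of the brand")
    elif 0 < levenshtein(norm_label, norm_brand) <= 2:
        reasons.append("near-miss spelling of the brand")
    elif norm_brand in norm_label:
        extra = norm_label.replace(norm_brand, "", 1)
        if any(tok in extra for tok in SUSPECT_TOKENS):
            reasons.append("brand combined with an IT/VPN keyword")
        else:
            reasons.append("brand embedded in a longer name")
    elif norm_brand in normalize(host):
        reasons.append("brand used as a subdomain of an unrelated domain")
    return ("suspect" if reasons else "clean"), reasons


if __name__ == "__main__":
    # Constructed candidates standing in for a daily feed of new registrations
    for candidate in ["example-corp.net", "examp1e-corp.com", "exampel-corp.com",
                      "example-corp-vpn.net", "vpn.example-corp.com.evil-host.net",
                      "unrelated.org"]:
        print(candidate, *assess(candidate))
```

In practice the candidate list comes from a certificate-transparency or zone-file feed, and anything marked `suspect` goes to a takedown or blocklist workflow; the thresholds and keyword list are starting points to tune against your own brand.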
In addition, TN Team and our strategic alliances discourage our employees and new hires from posting announcements on social media that could make them a target, and we suggest you do the same and make them aware of this potential threat.
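Two of the recommendations in the list above, restricting VPN access to managed devices with certificates and restricting access hours, can also be checked after the fact by reviewing gateway logs for successful sessions that were authenticated with a password alone or that fall outside the allowed window. The script below is an added example for this article, not a tool from the advisory or from any VPN vendor; the log format and the business-hours window are constructed assumptions, so adapt the parser to your gateway's actual output.

```python
from datetime import datetime, time

# Assumed business window (local time) outside of which VPN logins should not succeed
ALLOWED_START, ALLOWED_END = time(6, 0), time(20, 0)

# Constructed VPN gateway log lines in a simple key=value format (not from any real product)
LOG_LINES = [
    "2020-08-21T09:14:02 user=alice src=203.0.113.5 auth=cert+password result=success",
    "2020-08-21T23:41:37 user=bob src=198.51.100.23 auth=password result=success",
    "2020-08-22T10:02:11 user=carol src=192.0.2.77 auth=password result=success",
    "2020-08-22T03:15:49 user=dave src=203.0.113.88 auth=cert+password result=failure",
]


def parse(line):
    """Split one log line into a dict; the leading ISO timestamp becomes a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def review(lines):
    """Return [(user, [issues])] for successful logins that violate either control."""
    findings = []
    for line in lines:
        event = parse(line)
        if event["result"] != "success":
            continue  # failed attempts are noise for this check; alert on them separately
        issues = []
        if "cert" not in event["auth"]:
            issues.append("no device certificate")  # password alone should not reach the VPN
        if not (ALLOWED_START <= event["ts"].time() <= ALLOWED_END):
            issues.append("outside allowed hours")
        if issues:
            findings.append((event["user"], issues))
    return findings


if __name__ == "__main__":
    for user, issues in review(LOG_LINES):
        print(f"{user}: {', '.join(issues)}")
```

A session that shows up here with no device certificate is exactly what a stolen password from a vishing call would produce, so these findings are worth routing to the help desk for a call-back to the employee.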